CN101699815B - Network attack automatic execution/exhibition system and method - Google Patents


Info

Publication number: CN101699815B
Authority: CN (China)
Application number: CN2009101935015A
Other versions: CN101699815A (en)
Language: Chinese (zh)
Inventors: 范冰冰, 王涛
Original and current assignee: South China Normal University
Legal status: Expired - Fee Related
Prior art keywords: attack, network, module, knowledge, attacking

Classification

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a network attack automatic execution/exhibition system comprising one or more attack source hosts, one or more attack target hosts, a network attack knowledge base, a network attack environment generation module, a network attack automatic execution module, a network attack data acquisition module and a network attack exhibition module. The invention also discloses a network attack automatic execution/exhibition method comprising the following steps: S1, acquisition, analysis and standardized description of attack knowledge; S2, preparation of the attack environment; S3, controllable execution of the attack; S4, data acquisition of the process and result of the attack; and S5, attack exhibition. The invention is based on a distinctive attack knowledge base built for network attack generation, holds complete attack knowledge, has the functions of automatically generating the network attack environment, automatically reproducing network attacks, and automatically or semi-automatically generating network attacks, and is of value for the teaching, training and scientific research of network attack and defence as well as for research into defensive measures.

Description

Network attack automatic execution/exhibition system and method
Technical field
The invention belongs to the field of computer network information security, and in particular relates to a network attack automatic execution/exhibition system and method.
Background art
Network attack techniques appear mainly in hacker attack tools, sniffers, intrusion detection systems (IDS), simulated attacks for security evaluation, and network attack/defence platforms. An IDS collects information at key points of a user network or computer system (monitoring and gathering), analyses it against rules or behaviour patterns, finds intrusion behaviour or signs of attack, and raises alarms; IDS has become a widely used active network security measure. It extracts known attack methods and technical characteristics (critical behaviours, the evidence most useful for analysis) from raw audit data or network data and forms an intrusion signature database. IDS work is based on building and evaluating an intrusion detection model from attack "features". The common data analysis method of IDS detection models is misuse detection (anomaly detection is used less); this is a knowledge-based detection technique, also called pattern-matching detection, which assumes that attacks and intrusion methods have definite patterns and features, matches the collected data against intrusion features, and so finds intrusion attacks. In other words, it compares the collected data against the attack patterns in a predetermined feature knowledge base.
Recently, research on network attack/defence platforms has risen both in China and abroad; literally understood, a network attack/defence platform is closely related to a network attack generation system. At present, domestic examples include the information security engineering practice synthesis experiment platform of Shanghai Jiao Tong University, the network security protection key technologies experiment platform of the Chinese Academy of Sciences, the network attack and defence training platform of Zhongyuan University of Technology, and the Zhongruan/Jilin University network (WSN) emulation system; abroad there are the well-known IWSS16 (InfoWorld Security Suite 16) system and the Information Assurance operations laboratory at West Point.
Actual investigation and analysis of domestic attack/defence platforms shows the following. A domestic information security engineering experiment platform or network security protection experiment platform is usually a general security environment formed by hardware devices and system software, including some security products and technologies; it is a stacked environment of LAN, security products, computers, software systems and individual security technologies, and can accomplish some security-related examinations and tests. Most of these are network or network-security principle experiments and security-equipment operation experiments; the integration of security units on the platform is good and has some extensibility. The network attack/defence function is usually only a partial function of the platform: generally a specific hardware and software environment can only be built or configured by hand, attack tools loaded by hand, and individual simple network attacks replayed for test; diverse network attacks cannot be generated automatically, and the behaviour and effect of the attack lack quantitative analysis and a visual, intuitive presentation. Another approach to implementing an attack/defence platform is simulation and emulation: a simulated attack client is set up and experimental attack simulation is performed at the data link, network and transport layers, or the attack/defence experiment is carried out entirely by software emulation in a virtual network and host environment. Not only is the attack simulation limited to a few simple attack types, but its fidelity is currently insufficient; the defending side can only provide some simple functional modules that detect attacks on the system, and the simulated results differ from real attacks. The West Point Information Assurance operations laboratory abroad is a targeted attack/defence system oriented to information warfare and cadet exercises, and IWSS16 is mainly a software attack test suite; neither mentions automatic generation of network attacks or presentation of their effects.
Chinese patent application 200910001244.0, "Method and system for network attack test", discloses a method and system for network attack testing. The system comprises a main control end and a plurality of agent ends: the main control end creates test commands, sends them to the agent ends and analyses the attack test results the agent ends return; each agent end receives the test command, sends attack messages to the device under test according to it, and returns the attack test result to the main control end. When several agent ends send attack messages to the device under test simultaneously, sufficient attack message pressure is reached, improving the quality of the network attack test. Its goal is testing rather than presentation, and it does not propose a normalized description of attacks.
Chinese patent application 200710194909.5 provides an internal tracking method and a network attack detection test method, used when a network intrusion detection system is tested: by configuring an attacking side, a defending side and a target side, and setting corresponding internal check points in each part, the whole life cycle of an attack packet is tracked through the attacking, defending and under-attack phases of the test. That is, when the network intrusion detection system is tested, the tester can clearly understand the state and information of the attack packet at each important stage of the whole process, from the attacking side, through filtering and detection, to the destination host, and so generate a test report conveniently, quickly and accurately. Its goal is attack detection.
Chinese patent application 200810232685.7 proposes an attack early-warning method based on mining the relation between software defects and network attacks. It comprises: a defect detection subsystem that performs rule-based static analysis and detection of software defects; a characteristic defect sequence library subsystem that uses defect implantation to mine and record the relation between defect sequences and network attacks; and an attack early-warning decision subsystem that matches the vulnerability defects detected in the target software against the records in the characteristic defect sequence library and issues an attack early-warning report. Its goal is defensive vulnerability discovery.
Network attack/defence platforms, and network attack on such platforms in particular, are still at a preliminary experimental stage; they have not fully emerged from a rather primitive manual operating state, so even where network attacks can be replayed they are limited on the whole to simpler attack types. The applicant believes the prior art has not considered the following in depth: (1) how to systematically and effectively build a network attack knowledge base and a formal expression of attacks; (2) how to generate various typical attack environments automatically in a real laboratory environment; (3) how to replay a real network attack process and present the attack and its effect in real time. Accordingly, no comparable network attack automatic generation system has been found at home or abroad; the field is nearly blank, and no network attack investigation and interrogation system oriented to network police alarm systems has yet been reported.
Summary of the invention
The primary object of the present invention is to overcome the shortcomings and defects of the prior art and provide a network attack automatic execution/exhibition system. This system is developed mainly so that, in a relatively general network (Internet, LAN) information system environment, typical current network attacks can be managed, invoked, automatically generated and replayed; the attack and its effects (harm and influence) are presented for the whole process from the attack preparation stage to the end of the attack; and on this basis, combined with other technologies, network crime (attack) teaching and analysis systems can be developed. It is an innovation in the theory and application technology of network attack experiment platforms.
Another object of the present invention is to overcome the shortcomings and defects of the prior art and provide a network attack automatic execution/exhibition method.
The primary object of the invention is achieved through the following technical solution. A network attack automatic execution/exhibition system comprises one or more attack source hosts and one or more attack target hosts, and further comprises:
a network attack knowledge base, used to collect typical attack knowledge and establish attack knowledge samples; through analysis, the attack knowledge is decomposed into a number of attack operation steps together with a description of the attack type and the software environment the attack requires; each attack operation step obtained in the decomposition is described in a standardized manner as an attack command sequence (an attack command sequence is a text in script-instruction form that describes the attack process or step); attack knowledge and attack steps are stored by category according to their characteristics;
a network attack environment generation module, used to look up the corresponding attack knowledge in the network attack knowledge base according to the attack type, namely the attack environment, attack target and parameters, and, according to the stored attack environment requirements, configure the operating system and application system of the attack target so that they meet the requirements of the attack;
a network attack automatic execution module, used to look up in the network attack knowledge base the attack command sequence described in the standardized manner for the required attack type and execute the attack on the basis of that attack command sequence; the network attack automatic execution module comprises a plurality of attack atomic operation modules, each used to execute the corresponding attack operation according to an attack script instruction; on the basis of the attack command sequence found, the network attack automatic execution module loads the attack atomic operation modules corresponding to the attack command sequence and executes the attack;
a network attack data collection module, used to collect the data content transmitted and the status information of the attack source host and the attack target host during the attack process, and send the collected data to the network attack exhibition module;
a network attack exhibition module, used, according to the data collected by the network attack data collection module, to present in real time on a graphical interface, by means of animation, the execution of the attack process and the effects produced on the attacked network, hosts and application systems, so that the user can clearly see the attack process and result on the graphical interface.
To better realize the invention, the network attack automatic execution/exhibition system further comprises a network attack control management module, used to manage and control the network attack automatic execution/exhibition process.
The network attack knowledge base comprises:
a knowledge base collection module, used to collect typical attack knowledge and establish attack knowledge samples;
a knowledge base management module, used to maintain and analyse the attack knowledge in the network attack knowledge base, decompose the attack knowledge into a number of attack operation steps, describe the attack type and the software environment the attack requires, describe each attack operation step obtained in the decomposition in a standardized manner as an attack command sequence, and store attacks and attack steps by category according to their characteristics.
The network attack data collection module comprises:
an attack source host collection module, used to collect the attack data sent and the attack feedback data received by the attack source host while executing each attack step;
an attack target host collection module, used to collect the status data of the attack target host.
The network attack automatic execution module realizes either automatic whole-process attack execution or controlled single-step attack execution.
Another object of the invention is achieved through the following technical solution. A network attack automatic execution/exhibition method comprises the following steps:
S1, collection, analysis and standardized description of attack knowledge: collect typical attack knowledge as fully as possible and establish attack knowledge samples; through analysis, decompose the attack knowledge into a number of attack operation steps and describe the attack type and the software environment the attack requires; describe each attack operation step obtained in the decomposition in a standardized manner as an attack command sequence; store attack knowledge and attack steps by category according to their characteristics;
S2, attack environment preparation: look up the corresponding attack knowledge in the network attack knowledge base according to the attack type, namely the attack environment, attack target and parameters; according to the stored attack environment requirements, configure the operating system and application system of the attack target so that they meet the requirements of the attack;
S3, controllable execution of the attack: read the knowledge of an attack operation step from the network attack knowledge base and look up its corresponding attack command sequence; according to the attack command sequence, the network attack automatic execution module loads the corresponding attack atomic operation module (an attack atomic operation module executes the corresponding attack operation according to an attack instruction), executes the attack operation of that step and collects the corresponding attack feedback; repeat the execution of attack steps until the attack command sequence is complete;
S4, data collection of the attack process and result: during step S3, collect and record the attack data sent and the attack feedback data received by the attack source host while executing each attack step, and send them to the network attack exhibition module; at the same time, extract the status data of the attack target host and, whenever the status changes, collect and record it and send it to the network attack exhibition module;
S5, attack exhibition: the network attack exhibition module graphically displays the connections between the hosts, the content of the data passed between them, and the status information of each host.
To better realize the invention, in step S1, collecting typical attack knowledge as fully as possible specifically means collecting and downloading it, manually or automatically, from particular network attack description websites; the content collected specifically comprises the classification of the attack, the properties of the attack target, the detailed process of the attack, the vulnerability exploited by the attack and the result of the attack;
In step S1, decomposing the attack knowledge through analysis into a number of attack operation steps and describing the attack type and the software environment the attack requires specifically means: taking the collected attack knowledge samples as the basis, under user guidance, an automated analysis tool decomposes the attack knowledge, splitting the attack process into a number of attack operation steps, namely the attack operation (command execution or network data sending), the attack target, the attack parameters, the attack feedback and the feedback processing (success/failure judgement, parameter extraction template and the like); at the same time the automated analysis tool describes the attack type and the software environment the attack requires;
In step S1, describing each attack operation step obtained in the decomposition in a standardized manner as an attack command sequence specifically means that the standardized description covers the concrete network operation, the operation data content and parameters, the operation delay and the expected feedback, and the analysis of the feedback content. The standardized description means defining attack script instructions corresponding to the various attack operations (script format, parameter list, parameter attributes) and, using these script instructions as templates, describing the attack process as a series of attack commands, which is the standardized description of the attack; this required form is the basis for the later scripting of the attack and also the basis for automatic attack execution;
The attack environment preparation of step S2 specifically means configuring the attack target environment in which the attack is executed: the environment configuration requirements of the attack are extracted from the network attack knowledge base and handed to an operation agent on the attacked host, which executes the configuration instructions corresponding to the attack, accomplishing functions such as reinstallation, restart, and starting or stopping specific services.
In step S3, the network attack automatic execution module loads the corresponding attack atomic operation module (code) according to the requirements of the attack command sequence, hands the attack parameter data to that attack atomic operation module, executes the attack and obtains the corresponding feedback data.
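The S1 standardized description and the S3 loading of attack atomic operation modules can be made concrete in code. The following is an added example, not code from the patent or its inventors: it models an attack command sequence as a list of standardized step records, keeps the attack atomic operation modules in a registry, and executes the sequence either one controlled step at a time or for the whole process, applying the success/failure judgement and the parameter extraction template to each step's feedback so that a later step can use a parameter an earlier step discovered. The `${name}` placeholder syntax, the field names, and the two simulated operations (`port_scan` and `banner_grab`, which consult a constructed lab inventory instead of sending traffic) are assumptions.

```python
"""Attack command sequence model and single-step / whole-process executor.
Added example, not the patent's code: field names, the ${name} placeholder
syntax and the simulated atomic operations are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class AttackCommand:
    """One standardized attack operation step (the S1 decomposition)."""
    op: str                                   # atomic operation module to load
    target: str                               # attack target, may use ${name}
    params: Dict[str, str] = field(default_factory=dict)
    expect: Optional[str] = None              # regex on feedback = success test
    extract: Dict[str, str] = field(default_factory=dict)  # name -> regex, group 1

@dataclass
class StepResult:
    op: str
    sent: str          # what the attack source host transmitted (S4 collection)
    feedback: str      # what came back
    success: bool
    extracted: Dict[str, str]

# Registry of attack atomic operation modules: name -> callable returning
# (data sent, feedback). Real modules would touch the network; these two
# consult a constructed lab inventory instead.
AtomicOp = Callable[[str, Dict[str, str]], Tuple[str, str]]
REGISTRY: Dict[str, AtomicOp] = {}
LAB_HOSTS = {  # constructed sample inventory of lab target hosts
    "10.0.0.5": {"open_ports": [135, 139, 445, 3389], "banner_3389": "RDP 5.2"},
    "10.0.0.9": {"open_ports": [22, 80]},
}

def atomic_op(name: str):
    def register(fn: AtomicOp) -> AtomicOp:
        REGISTRY[name] = fn
        return fn
    return register

@atomic_op("port_scan")
def port_scan(target: str, params: Dict[str, str]) -> Tuple[str, str]:
    ports = LAB_HOSTS.get(target, {}).get("open_ports", [])
    return f"SYN probe {target}", " ".join(f"{p}/open" for p in ports)

@atomic_op("banner_grab")
def banner_grab(target: str, params: Dict[str, str]) -> Tuple[str, str]:
    host, port = target.rsplit(":", 1)
    banner = LAB_HOSTS.get(host, {}).get(f"banner_{port}", "")
    return f"connect {target}", banner or "no response"

def substitute(text: str, ctx: Dict[str, str]) -> str:
    """Fill ${name} placeholders from parameters extracted by earlier steps."""
    return re.sub(r"\$\{(\w+)\}", lambda m: ctx.get(m.group(1), m.group(0)), text)

class AttackExecutor:
    """Processor for an attack command sequence: step() gives controlled
    single-step execution; run_all() gives whole-process execution that
    stops at the first failed feedback judgement."""
    def __init__(self, sequence: List[AttackCommand], ctx: Dict[str, str]):
        self.sequence, self.ctx, self.pos = sequence, dict(ctx), 0
        self.results: List[StepResult] = []

    def step(self) -> StepResult:
        cmd = self.sequence[self.pos]
        module = REGISTRY[cmd.op]                    # load the atomic op module
        target = substitute(cmd.target, self.ctx)
        params = {k: substitute(v, self.ctx) for k, v in cmd.params.items()}
        sent, feedback = module(target, params)      # execute, obtain feedback
        ok = cmd.expect is None or re.search(cmd.expect, feedback) is not None
        extracted: Dict[str, str] = {}
        if ok:                                       # feedback processing
            for name, pattern in cmd.extract.items():
                m = re.search(pattern, feedback)
                if m:
                    extracted[name] = m.group(1)
        self.ctx.update(extracted)
        result = StepResult(cmd.op, sent, feedback, ok, extracted)
        self.results.append(result)
        self.pos += 1
        return result

    def run_all(self) -> List[StepResult]:
        while self.pos < len(self.sequence):
            if not self.step().success:
                break
        return self.results

# Constructed two-step sequence: find the remote desktop port, then probe it.
SAMPLE_SEQUENCE = [
    AttackCommand(op="port_scan", target="${target_host}",
                  expect=r"\b3389/open\b", extract={"rdp_port": r"\b(3389)/open\b"}),
    AttackCommand(op="banner_grab", target="${target_host}:${rdp_port}", expect=r"RDP"),
]

def run_against(host: str) -> List[StepResult]:
    """Whole-process execution of the sample sequence against one lab host."""
    return AttackExecutor(SAMPLE_SEQUENCE, {"target_host": host}).run_all()
```

Against 10.0.0.5 both steps succeed and the second step's target is filled from the first step's extraction; against 10.0.0.9 the first feedback fails the judgement and execution stops, which is the behaviour a knowledge base entry needs so that a failed precondition does not run the remaining steps blindly.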
In step S5, the network attack exhibition module is a network state tracking display module. After receiving the data collection results of step S4 over an XML-based standard interface, it graphically depicts the initial state of the attack; depicts, by graphic animation, the data receiving and sending content of each attack step, the attack target and the feedback to each attack operation; depicts the state changes of the attack target; and finally depicts the attack result.
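The XML interface between the S4 collection modules and the S5 exhibition module is described only at the level of the data it carries (data sent, feedback, target state changes). As an added example, not code from the patent, the following encodes that data as a small XML collection stream on the collector side and, on the exhibition side, replays it into the host-to-host links to draw and the per-host state, recording a change only when a state value actually differs from the last one seen. The element and attribute names and the sample events are constructed assumptions.

```python
"""Collection stream (S4) to exhibition state tracking (S5).
Added example, not the patent's code: the <collection>/<event>/<state>
element names and attributes are an assumed encoding of the XML interface
the description mentions, and the event list is constructed sample data."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample: what the source- and target-host collection modules report.
SAMPLE_EVENTS = [
    {"type": "attack_send", "source": "10.0.0.2", "target": "10.0.0.5",
     "step": "port_scan", "data": "SYN probe 10.0.0.5"},
    {"type": "attack_feedback", "source": "10.0.0.2", "target": "10.0.0.5",
     "step": "port_scan", "data": "3389/open"},
    {"type": "target_state", "host": "10.0.0.5",
     "state": {"sessions": 1, "service:TermService": "running"}},
    # captured content is attacker/target controlled; it must not break the XML
    {"type": "attack_send", "source": "10.0.0.2", "target": "10.0.0.5",
     "step": "banner_grab", "data": "connect 10.0.0.5:3389 <probe>&"},
    {"type": "target_state", "host": "10.0.0.5",
     "state": {"sessions": 2, "service:TermService": "running"}},
]

def build_collection_xml(events: List[dict]) -> str:
    """Collector side: serialize events. Building with ElementTree rather than
    string concatenation escapes '<' and '&' inside captured data."""
    root = ET.Element("collection")
    for seq, ev in enumerate(events, 1):
        e = ET.SubElement(root, "event", seq=str(seq), type=ev["type"])
        for key in ("source", "target", "step", "host"):
            if key in ev:
                e.set(key, ev[key])
        if "data" in ev:
            ET.SubElement(e, "data").text = ev["data"]
        for key, value in ev.get("state", {}).items():
            ET.SubElement(e, "state", key=key).text = str(value)
    return ET.tostring(root, encoding="unicode")

Link = Tuple[int, str, str, str, str]          # seq, from, to, step, content
Change = Tuple[int, str, str, object, str]     # seq, host, key, old, new

def track_network_state(xml_text: str):
    """Exhibition side: replay events in seq order into the links to draw
    between hosts and the per-host state, recording only real changes."""
    root = ET.fromstring(xml_text)
    links: List[Link] = []
    host_state: Dict[str, Dict[str, str]] = {}
    changes: List[Change] = []
    for e in sorted(root.iter("event"), key=lambda x: int(x.get("seq"))):
        seq, kind = int(e.get("seq")), e.get("type")
        if kind in ("attack_send", "attack_feedback"):
            src, dst = e.get("source"), e.get("target")
            if kind == "attack_feedback":        # feedback flows target -> source
                src, dst = dst, src
            links.append((seq, src, dst, e.get("step"), e.findtext("data", "")))
        elif kind == "target_state":
            host = e.get("host")
            state = host_state.setdefault(host, {})
            for s in e.findall("state"):
                key, value = s.get("key"), s.text
                if state.get(key) != value:
                    changes.append((seq, host, key, state.get(key), value))
                    state[key] = value
    return links, host_state, changes

def demo():
    """Round trip of the constructed events through the XML interface."""
    return track_network_state(build_collection_xml(SAMPLE_EVENTS))
```

The stream originates on hosts that are being attacked during the exercise, so the exhibition side should treat it as untrusted input: in a deployed system parse it with defusedxml (or another parser with entity expansion disabled) instead of plain ElementTree, and validate host and step attributes before using them to drive the display.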
The working principle of the invention is as follows. The invention regards an attack process as one that can be decomposed and normalized. By decomposing the attack process and describing it in a standardized way, the attack process is split into a series of attack operations (each operation is replaced by an attack script instruction, and a corresponding attack atomic operation module is developed); a typical attack process is described as the attack command sequence above, and handing this attack command sequence to the network attack automatic execution module realizes automatic or manually controlled execution of the attack; handing the attack process, feedback results and final state to the attack exhibition module for graphical display realizes the initial goal of executing and dynamically presenting the attack process.
Compared with the prior art, the invention has the following advantages and beneficial effects:
First, a distinctive network attack knowledge base built for network attack generation: network attacks are properly classified, structured and formally described for the purpose of automatic network attack generation, and a distinctive network attack knowledge base is established. Attack process steps are described as scripted command sequences, which represents them in a more standard way and makes flexible, controlled single-step attack execution genuinely achievable, providing a basic means for the analysis and teaching of attack processes and a reference for future exploration and discovery of attacks.
Second, automatic generation of the network attack environment: according to user requirements, the system automatically forms an environment (such as network topology, software environment, vulnerability exploitation) in which a given attack can occur; the simulated attack tool is deployed automatically on the network attack automatic execution module of the attack source host, and the attack forms automatically. This is designed mainly as experiments on typical network attacks: the network attacks are built in the network security laboratory facility environment and a VMware environment; the experiment design takes common attack steps such as information detection, attack implementation and evasion as its basis and stresses mastery of key elements such as the attack environment, basic steps and process characteristics. An automated attack environment is the prerequisite for realizing attack exhibition, yet no other network attack teaching and research platform has proposed this idea or its implementation.
Third, automatic network attack reproduction. The starting point and goal of all the basic research revolve around automatic network attack generation rather than anything else (such as intrusion detection), so the research is a brand-new point of innovation. Automatic generation of a network attack first requires a strict and accurate standardized description of the detailed process and characteristics of the attack, that is, a formal expression of network attack knowledge; a concrete network attack taxonomy is realized to classify attacks according to the requirements of attack generation; an attack knowledge model and a behaviour model are established for each type of attack; and a network attack knowledge base oriented to automatic attack generation is completed. This achieves a unique description of each network attack and effectively supports the automatic generation process. Attack operations are executed automatically according to the standardized attack command sequence described above, the attack feedback is received, and the attack is completed. The network attack automatic execution module is designed to the standardization goal; it is itself a processor that executes attack command sequences. This design has good reusability, extensibility and flexibility, and lays the foundation for developing, as a next step, an attack engine that automatically explores new attack methods.
Fourth, automatic or semi-automatic generation of network attacks. Automatic or semi-automatic (partial operator intervention) network attack reproduction is driven by user instructions (the network attack control and management module); the elements for generating various network attacks are extracted and loaded from the network attack knowledge base, the simulated attack tool is deployed automatically on the attack source host, and the attack forms automatically. The system develops and deploys distributed, environment-driven control and effect collection agent (embedded) software that controls the network attack reproduction process.
Fifth, exhibition of the attack and its harmful effects. The behaviour of the network attack process and the execution effects the attack produces are gathered and computed from distributed related data and presented in real time on a graphical interface. Graphical presentation of attack means and processes is an intuitive means of analysing and studying network attacks and has considerable practical significance.
Sixth, improvement of network crime investigation and interrogation systems. With the network attack knowledge base as the basis, typical network crime processes are formally described, a network crime case library is built for some typical attacks, and network crime processes are reproduced by simulation and the attacks in network crimes analysed. This has a positive effect on teaching, training and scientific research of network attack and defence, research on defensive measures, case analysis and the like.
Seventh, a complete network attack knowledge base. The IDS intrusion signature database and the network attack knowledge base proposed here differ greatly not only in the content of the network attack features/knowledge they contain and the environment from which they are extracted; their methods of expressing attack features (knowledge) are also completely different. An IDS attack signature is expressed as the most critical and simplest possible content, and both its content and its form aim at real-time matching; the network attack knowledge base proposed here must instead contain completely the various possible details required to generate the attack, that is, the complete knowledge the attack process needs in order to be generated. So the IDS intrusion signature database and the network attack knowledge base of this project have only a literal similarity and no essential correlation.
Description of drawings
Fig. 1 is a block diagram of a network attack automatic execution/exhibition system of the invention;
Fig. 2 is a frame model structure diagram of a network attack automatic execution/exhibition system of the invention;
Fig. 3 is a flow chart of a network attack automatic execution/exhibition method of the invention.
Embodiments
The invention is further described below in conjunction with embodiments and the accompanying drawings, but the embodiments of the invention are not limited thereto.
A kind of network attack automatic execution of the present invention, as shown in Figure 1, comprising: a plurality of or attack source main frame, a plurality of or target of attack main frame also comprise:
The network attack knowledge base is used to collect typical attack knowledge, sets up the attack knowledge sample; Through analyzing, be decomposed into attack knowledge a plurality of attack operation steps and describe type, the required software environment of attacking; Each the attack operation step that is obtained in the decomposable process is described as attacking command sequence (attack command sequence and be meant the directive script form text of describing attack process or step) with the standardization mode; Attack knowledge, attack step are stored classifiedly according to characteristic;
Network attack environment generation module; Be used for searching corresponding attack knowledge based on attack type from the network attack knowledge base, i.e. attack context, target of attack and parameter are based on the requirement of depositing attack context; The operating system and the application system of configuration target of attack make it to meet the attack requirement;
The network attack automatic execution module is used for according to the attack type requirement, in the network attack knowledge base, searches the attack command sequence that the standardization mode is described, and carries out attack based on attacking command sequence; Said network attack automatic execution module comprises a plurality of aggressinogen child-operation modules that are used for based on the corresponding attack operation of attack script instruction execution; The network attack automatic execution module is based on the attack command sequence that finds; Load and attack the pairing aggressinogen child-operation of command sequence module, carry out and attack;
The network attack data collection module is used for attack source main frame and target of attack host machine attack process content transmitted data, status information data are collected, and sends to network attack to data of collecting and represent module;
Network attack represents module; Be used for data according to the collection of network collection module; Execution to generations such as attack process and attacking network, main frame and application systems; Represent in real time on graphical interfaces through analogy method, make the user clearly see attack process, result from graphical interfaces.
Said network attack automatic execution/exhibition system further comprises a network attack control management module, used to manage and control the network attack automatic execution/exhibition process.
Said network attack knowledge base comprises:
The knowledge base collection module, used to collect typical attack knowledge and build attack knowledge samples;
The knowledge base management (KBM) module, used to maintain and analyze the attack knowledge in the network attack knowledge base: attack knowledge is decomposed into a plurality of attack operation steps, and the attack type and the required software environment are described; each attack operation step obtained in the decomposition is described in a standardized manner as an attack command sequence; attacks and attack steps are classified and stored according to their characteristics.
Said network attack data collection module comprises:
The attack source host collection module, used to collect the attack send data and attack feedback data of the attack source host while each attack step is executed;
The attack target host collection module, used to collect the status data of the attack target host.
Said network attack automatic execution module is a network attack automatic execution module that realizes either automatic whole-process attack execution or controlled single-step attack execution; the present embodiment adopts automatic whole-process attack execution.
The framework model structure of the present invention is shown in Fig. 2. Two different attacks, Embodiment 1 and Embodiment 2, are taken as examples below to describe in detail the process by which said system realizes network attack automatic execution/exhibition, as shown in Fig. 3:
Embodiment 1: implementation process of the automatic execution and exhibition of the 3389 vulnerability attack
1. Analysis, organization and standardization of attack knowledge
1.1 Using the knowledge base collection module, the standard description of the 3389 attack is cited from the international CVE vulnerability announcement website;
1.2 Taking the 3389 attack knowledge description obtained in 1.1 as the basis, and using the KBM module under user operation, the 3389 attack knowledge is decomposed and described, including parameters such as the attack type and the required software environment;
Attack steps:
1: ftp 120.0.01
2: nmap -sT -O 120.0.01
3: net use // 120.0.01/ipc/user 120.0.01
Attack target: all kinds of hosts with WinXP patch 3 (SP3) installed;
Attack result: the guest account obtains administrator rights on this host;
1.3 The KBM module describes each attack operation step obtained in the decomposition as an attack command sequence in a standardized manner, specifying the concrete network attack operation, the content and parameters of the operation data, the operation delay and expected feedback, the feedback content and its analysis, and so on;
The description after decomposition is:
The attack process is described as a series of attack command sequences:
Attack(0) (initialization): #%TARGENT_IP%#=120.0.0.1, #%TARGENT_USER%#=administrator, #%TARGENT_PASS%#=" "
attack(1)="ftp #%TARGET_IP%#"
result(1)="*Connection accepted by remote host*"=ok
attack(2)="nmap -sT -O #%TARGET_IP%#"
result(2)="*\n#%MYSQL_PORT%# open tcp mysql*"=ok
attack(3)=net use \\#%TARGENT_IP%#\ipc$ "" /user:"#%TARGENT_USER%#"
... (summary)
Attack result description: authority(guest)=administrators
Attack environment configuration: attack target = full version of WinXP; patch level = SP3; application program = no requirement (NR);
1.4 Attacks and attack steps are classified and stored according to their characteristics
Each step of the above attack is classified by operation type (command-line operations such as nmap ..., HTTP operations such as visiting http://xxxx.com/aaa.asp? Or=1And 1, and so on), marked with a specific instruction, and the relevant parameters of each instruction are recorded;
The attack name ("3389 attack"), the attack type (craft) and the corresponding attack environment requirements (attack target = full version of WinXP; patch level = SP3; application program = no requirement (NR)) are recorded;
2. Attack environment preparation
2.1 Determine the attack environment: the attack environment is any version of WinXP;
2.2 Determine the attack target and parameters: set the IP and user name of the attack target;
2.3 Based on the stored attack environment requirements, configure the attack target so that it meets the requirements of the attack;
2.3.1 Configure the operating system of the attack target: the required attack environment is WinXP; (method: extract the corresponding blank WinXP virtual machine file from the virtual machine library and use it as the attack target host.)
2.3.2 Configure the application system of the attack target: none in this example;
2.3.3 Configure the relevant settings of the attack target: configure the corresponding IP and user account on the attack target host.
3. Controllable execution of the attack
3.1 Read the attack step knowledge from the network attack knowledge base and look up the corresponding attack command sequence, namely read the attack command sequence listed in step 1.3 above and extract the variables in it (such as the attack target IP variable #%TARGENT_IP%#, the attack account #%TARGENT_USER%#, etc.);
3.2 The network attack automatic execution module loads the corresponding attack atomic operation module according to the attack command sequence, executes the network attack operation of this step, and collects the corresponding attack feedback information;
Step 0: according to the attack script instruction, execute Attack(0), the attack initialization procedure: the user sets the corresponding attack configuration parameters, for example setting the attack target host to the IP of the attack target virtual machine just created.
Step 1: according to the attack script instruction, execute Attack(1): construct and execute the attack instruction from the script and the variable values, and obtain the corresponding feedback;
3.3 Repeat the attack step execution until the attack command sequence is complete;
4. Data collection of the attack process
4.1 The attack send data and attack feedback data of each step in the controllable attack execution of step 3 above are collected, recorded and sent to the network attack exhibition module;
When each step in the attack script is executed, the attack source host collection module collects the attack send data and attack feedback data of the attack source host for that attack step, and the attack target host collection module collects the status data on the attack target host. For example, when Attack(1) is executed, "ftp xxx.xx.xxx.xx" is recorded by the attack source host collection module, and the corresponding ftp connection is recorded by the attack target host collection module.
4.2 At the same time, the status data on the attack target host is extracted; when the state changes, it is collected, recorded and sent to the attack exhibition module.
After each attack step is completed, the attack instruction data packet and attack feedback data packet collected by the attack source host collection module, and the attack target state change data collected by the attack target host collection module, are passed to the network attack exhibition module.
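As an added illustration (not code from the patent or its authors), the following Python parses a script written in the standardized attack command sequence notation of step 1.3, expands its #%VAR%# variables as step 3 does, halts at the first step whose feedback misses its result() pattern, and returns the per-step records that the collection modules of step 4 hand to the exhibition module. The script values, the feedback table and all function names are constructed for this example; feedback is looked up in a fixed table rather than obtained from any host, and variable names use the TARGET_ spelling throughout (the page alternates TARGET and TARGENT).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

VAR_RE = re.compile(r"#%([A-Z0-9_]+)%#")                # #%NAME%# placeholder
INIT_RE = re.compile(r"^Attack\s*\(0\)[^:]*:\s*(.*)$")    # Attack (0) (initialization): ...
ATTACK_RE = re.compile(r'^attack\((\d+)\)\s*=\s*"(.*)"\s*$')
RESULT_RE = re.compile(r'^result\((\d+)\)\s*=\s*"(.*)"\s*=\s*(\w+)\s*$')

# Constructed script in the notation of step 1.3 (hypothetical values).
SAMPLE_SCRIPT = r'''
Attack (0) (initialization): #%TARGET_IP%#=120.0.0.1, #%TARGET_USER%#=administrator, #%TARGET_PASS%#="", #%MYSQL_PORT%#=3306
attack(1)="ftp #%TARGET_IP%#"
result(1)="*Connection accepted by remote host*"=ok
attack(2)="nmap -sT -O #%TARGET_IP%#"
result(2)="*#%MYSQL_PORT%# open tcp mysql*"=ok
attack(3)="net use \\#%TARGET_IP%#\ipc$ "" /user:"#%TARGET_USER%#""
result(3)="*completed successfully*"=ok
'''


@dataclass
class AttackStep:
    index: int
    command: str                 # instruction template with #%VAR%# placeholders
    expected: str = ""           # wildcard pattern the feedback must match ('*' = anything)
    expected_status: str = "ok"  # status recorded when the feedback matches


@dataclass
class AttackScript:
    variables: Dict[str, str]
    steps: List[AttackStep]


@dataclass
class StepRecord:
    index: int
    sent: str       # attack send data, as the source host collection module records it
    feedback: str   # attack feedback data
    status: str     # expected status on a match, "fail" otherwise


def parse_script(text: str) -> AttackScript:
    """Parse the Attack(0) variable block and the attack(n)/result(n) pairs."""
    variables: Dict[str, str] = {}
    steps: Dict[int, AttackStep] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = INIT_RE.match(line)
        if m:
            for assignment in m.group(1).split(","):
                name, _, value = assignment.strip().partition("=")
                var = VAR_RE.fullmatch(name.strip())
                if var is None:
                    raise ValueError(f"bad variable assignment: {assignment!r}")
                variables[var.group(1)] = value.strip().strip('"')
            continue
        m = ATTACK_RE.match(line)
        if m:
            index = int(m.group(1))
            if index in steps:
                raise ValueError(f"duplicate step attack({index})")
            steps[index] = AttackStep(index, m.group(2))
            continue
        m = RESULT_RE.match(line)
        if m:
            index = int(m.group(1))
            if index not in steps:
                raise ValueError(f"result({index}) has no attack({index})")
            steps[index].expected = m.group(2)
            steps[index].expected_status = m.group(3)
            continue
        raise ValueError(f"unrecognized script line: {line!r}")
    return AttackScript(variables, [steps[i] for i in sorted(steps)])


def expand(template: str, variables: Dict[str, str]) -> str:
    """Substitute every #%NAME%# placeholder; an unset variable is an error, not ''."""
    def lookup(m) -> str:
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"variable {name} is not set in Attack(0)")
        return variables[name]
    return VAR_RE.sub(lookup, template)


def feedback_matches(pattern: str, feedback: str) -> bool:
    """'*' matches any text, newlines included; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, feedback, re.DOTALL) is not None


def run_script(script: AttackScript, send: Callable[[str], str]) -> List[StepRecord]:
    """Controllable execution: expand, send, check feedback, and halt at the first
    step whose feedback does not match its result() pattern."""
    records: List[StepRecord] = []
    for step in script.steps:
        sent = expand(step.command, script.variables)
        feedback = send(sent)
        matched = feedback_matches(expand(step.expected, script.variables), feedback)
        status = step.expected_status if matched else "fail"
        records.append(StepRecord(step.index, sent, feedback, status))
        if not matched:
            break
    return records


# Constructed feedback table standing in for the attack target host; nothing is sent anywhere.
SIMULATED_FEEDBACK = {
    "ftp 120.0.0.1": "Connection accepted by remote host\n220 ftp ready",
    "nmap -sT -O 120.0.0.1": "PORT STATE SERVICE\n3306 open tcp mysql\n",
}


def simulated_send(command: str) -> str:
    return SIMULATED_FEEDBACK.get(command, "connection refused")


if __name__ == "__main__":
    for rec in run_script(parse_script(SAMPLE_SCRIPT), simulated_send):
        print(f"attack({rec.index}) sent={rec.sent!r} status={rec.status}")
```

Run stand-alone, the third step fails because its command is absent from the feedback table, which is exactly the point at which single-step controlled execution would stop and the exhibition module would show an unmet expectation.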
5. Attack exhibition
5.1 Describe the initial attack state graphically: the attack source host and the attack target host are each represented by a "computer" icon labelled with information such as IP and state; the two are connected by an indicator line;
5.2 Describe, by graphic animation, the data transmission direction and the data send content of each attack step: an icon showing the attack command content moves along the line from the attack source to the attack target, depicting the execution of the attack;
5.3 Describe, by graphic animation, the feedback of the attack target: an icon showing the attack feedback content moves along the line from the attack target back to the attack source, depicting the feedback of the attack target to the attack operation;
5.4 Describe, by graphic animation, the state changes of the attack target, and finally the attack result: different symbols represent the attack target's data-receiving state, feedback-data state, compromised state, and so on.
Embodiment 2: implementation process of the basic Linux stack overflow attack
1. Analysis, organization and standardization of attack knowledge
1.1 Using the knowledge base collection module, the standard description of the basic Linux stack overflow attack is cited from the international CVE vulnerability announcement website;
1.2 Taking the basic Linux stack overflow attack knowledge description obtained in 1.1 as the basis, and using the KBM module under user operation, the basic Linux stack overflow attack is decomposed and described, including parameters such as the attack type and the required software environment;
Attack steps:
1: telnet 192.168.1.1
2: cp meet.o
3: f/bi n/sh -meet.o
Attack target: a host with the Linux 2.22 kernel installed and the telnet function enabled;
Attack result: a stack overflow in the corresponding system memory, after which the data at position X behind it in memory can be read;
1.3 The KBM module describes each attack operation step obtained in the decomposition as an attack command sequence in a standardized manner, specifying the concrete network attack operation, the content and parameters of the operation data, the operation delay and expected feedback, the feedback content and its analysis, and so on;
The description after decomposition is:
The attack process is described as a series of attack command sequences:
Attack(0) (initialization): #%TARGENT_IP%#=xxxx, #%TARGENT_USER%#=guest, #%USED_APP_1%#="meet.o"
attack(1)="telnet #%TARGET_IP%#"
result(1)="*Connection accepted by remote host*"=ok
attack(2)="cp #%USED_APP_1%#"
result(2)="1 file copied"=ok
attack(3)=net use \\#%TARGENT_IP%#\ipc$ "" /user:"#%TARGENT_USER%#"
... (summary)
Attack result description: authority(guest)=administrators
Attack environment configuration: attack target = full version of WinXP; patch level = SP3; application program = no requirement (NR);
1.4 Attacks and attack steps are classified and stored according to their characteristics
Each step of the above attack is classified by operation type, marked with a specific instruction, and the relevant parameters of each instruction are recorded;
The attack name ("Linux stack overflow attack") and the attack type (flooding) are recorded, and the corresponding attack environment requirements (attack target = Linux kernel 2.22; patch level = no requirement (NR); application program = no requirement (NR)) are recorded;
2. Attack environment preparation
2.1 Determine the attack environment: the attack environment is Linux (kernel version 2.22 required);
2.2 Determine the attack target and parameters: set the IP and user name of the attack target;
2.3 Based on the stored attack environment requirements, configure the attack target so that it meets the requirements of the attack;
2.3.1 Configure the operating system of the attack target: the required attack environment is Linux; (method: extract the corresponding blank Linux virtual machine file from the virtual machine library and use it as the attack target host.)
2.3.2 Configure the application system of the attack target: none in this example;
2.3.3 Configure the relevant settings of the attack target: configure the corresponding IP, user account and auxiliary attack application program on the attack target host.
3. Controllable execution of the attack
3.1 Read the attack step knowledge from the network attack knowledge base and look up the corresponding attack command sequence, namely read the attack command sequence listed in step 1.3 above and extract the variables in it (such as the attack target IP variable #%TARGENT_IP%#, the attack account #%TARGENT_USER%#, etc.) and the auxiliary attack tool #%USED_APP_1%#.
3.2 The network attack automatic execution module loads the corresponding attack atomic operation module according to the attack command sequence, executes the network attack operation of this step, and collects the corresponding attack feedback information;
Step 0: according to the attack script instruction, execute Attack(0), the attack initialization procedure: the user sets the corresponding attack configuration parameters, for example setting the attack target host to the IP of the attack target virtual machine just created.
Step 1: according to the attack script instruction, execute Attack(1): construct and execute the attack instruction from the script and the variable values, and obtain the corresponding feedback;
3.3 Repeat the attack step execution until the attack command sequence is complete;
4. Data collection of the attack process
4.1 The attack send data and attack feedback data of each step in the controllable attack execution of step 3 above are collected, recorded and sent to the network attack exhibition module;
When each step in the attack script is executed, the attack source host collection module collects the attack send data and attack feedback data of the attack source host for that attack step, and the attack target host collection module collects the status data on the attack target host. For example, when Attack(1) is executed, "telnet xxx.xx.xxx.xx" is recorded by the attack source host collection module, and the corresponding telnet connection is recorded by the attack target host collection module.
4.2 At the same time, the status data on the attack target host is extracted; when the state changes, it is collected, recorded and sent to the attack exhibition module.
After each attack step is completed, the attack instruction data packet and attack feedback data packet collected by the attack source host collection module, and the attack target state change data collected by the attack target host collection module, are passed to the network attack exhibition module.
5. Attack exhibition
5.1 Describe the initial attack state graphically: the attack source host and the attack target host are each represented by a "computer" icon labelled with information such as IP and state; the two are connected by an indicator line;
5.2 Describe, by graphic animation, the data transmission direction and the data send content of each attack step: an icon showing the attack command content moves along the line from the attack source to the attack target, depicting the execution of the attack;
5.3 Describe, by graphic animation, the feedback of the attack target: an icon showing the attack feedback content moves along the line from the attack target back to the attack source, depicting the feedback of the attack target to the attack operation;
5.4 Describe, by graphic animation, the state changes of the attack target, and finally the attack result: different symbols represent the attack target's data-receiving state, feedback-data state, compromised state, and so on.
The foregoing embodiments are preferred embodiments of the present invention, but the embodiments of the present invention are not limited by them; any other change, modification, substitution, combination or simplification made without departing from the spirit and principle of the present invention is an equivalent alternative and is included within the protection scope of the present invention.

Claims (9)

1. A network attack automatic execution/exhibition system comprising one or a plurality of attack source hosts and one or a plurality of attack target hosts, characterized in that it further comprises:
The network attack knowledge base, used to collect typical attack knowledge and build attack knowledge samples; through analysis, attack knowledge is decomposed into a plurality of attack operation steps, and the attack type and the required software environment are described; each attack operation step obtained in the decomposition is described in a standardized manner as an attack command sequence; attack knowledge and attack steps are classified and stored according to their characteristics;
The network attack environment generation module, used to look up the corresponding attack knowledge in the network attack knowledge base according to the attack type, namely the attack environment, the attack target and its parameters, and, based on the stored attack environment requirements, to configure the operating system and application system of the attack target so that they meet the requirements of the attack;
The network attack automatic execution module, used to look up, according to the attack type requirement, the attack command sequence described in standardized form in the network attack knowledge base, and to execute the attack on the basis of that attack command sequence; said network attack automatic execution module comprises a plurality of attack atomic operation modules that execute the corresponding attack operation according to the attack script instructions; based on the attack command sequence found, the network attack automatic execution module loads the attack atomic operation module corresponding to that attack command sequence and executes the attack;
The network attack data collection module, used to collect the data transmitted and the status information data of the attack source host and the attack target host during the attack process, and to send the collected data to the network attack exhibition module;
The network attack exhibition module, used to present in real time on a graphical interface, by simulation and according to the data collected by the network attack data collection module, the attack process and the changes produced by the attack.
2. The network attack automatic execution/exhibition system according to claim 1, characterized in that said system further comprises:
The network attack control management module, used to manage and control the network attack automatic execution/exhibition process.
3. The network attack automatic execution/exhibition system according to claim 1, characterized in that said network attack knowledge base comprises:
The knowledge base collection module, used to collect typical attack knowledge and build attack knowledge samples;
The knowledge base management (KBM) module, used to maintain and analyze the attack knowledge in the network attack knowledge base: attack knowledge is decomposed into a plurality of attack operation steps, and the attack type and the required software environment are described; each attack operation step obtained in the decomposition is described in a standardized manner as an attack command sequence; attacks and attack steps are classified and stored according to their characteristics.
4. The network attack automatic execution/exhibition system according to claim 1, characterized in that said network attack data collection module comprises:
The attack source host collection module, used to collect the attack send data and attack feedback data of the attack source host while each attack step is executed;
The attack target host collection module, used to collect the status data of the attack target host.
5. The network attack automatic execution/exhibition system according to claim 1, characterized in that said network attack automatic execution module is a network attack automatic execution module that realizes either automatic whole-process attack execution or controlled single-step attack execution.
6. A network attack automatic execution/exhibition method, characterized in that it comprises the following steps:
S1, collection, analysis and standardized description of attack knowledge: collect typical attack knowledge to the greatest extent and build attack knowledge samples; through analysis, decompose attack knowledge into a plurality of attack operation steps and describe the attack type and the required software environment; describe each attack operation step obtained in the decomposition in a standardized manner as an attack command sequence; classify and store attack knowledge and attack steps according to their characteristics. Said collecting typical attack knowledge to the greatest extent specifically means collecting and downloading, manually or automatically, from particular network attack description websites; the collected content specifically comprises the classification of the attack, the target characteristics of the attack, the detailed process of the attack, the vulnerability used by the attack and the result of the attack;
Said decomposing attack knowledge through analysis into a plurality of attack operation steps and describing the attack type and the required software environment specifically means that, taking the collected attack knowledge samples as the basis and under user guidance, an automated analysis tool decomposes the attack knowledge, splitting the attack process into a plurality of attack operation steps, namely attack operation, attack target, attack parameters, attack feedback and feedback processing; at the same time the automated analysis tool describes the attack type and the required software environment;
Said describing each attack operation step obtained in the decomposition in a standardized manner as an attack command sequence specifically means that the standardized description specifies the concrete network operation, the content and parameters of the operation data, the operation delay and expected feedback, and the analysis of the feedback content; said standardized description means defining attack script instructions corresponding to the various attack operations and, taking these instruction scripts as templates, describing the attack process as a series of attack command sequences;
S2, attack environment preparation: look up the corresponding attack knowledge in the network attack knowledge base according to the attack type, namely the attack environment, the attack target and its parameters; based on the stored attack environment requirements, configure the operating system and application system of the attack target so that they meet the requirements of the attack;
S3, controllable execution of the attack: read the attack operation step knowledge from the network attack knowledge base and look up its corresponding attack command sequence; the network attack automatic execution module loads the corresponding attack atomic operation module according to the attack command sequence, executes the attack operation of this step and collects the corresponding attack feedback information; repeat the attack step execution until the attack sequence instructions are complete;
S4, data collection of the attack process and result: collect and record the attack send data and attack feedback data of the attack source host for each attack step executed in step S3, and send them to the network attack exhibition module; at the same time, extract the status data on the attack target host, and when the state changes, collect, record and send it to the network attack exhibition module;
S5, attack exhibition: the network attack exhibition module graphically presents each host, the connections between hosts, the content of the data passed between hosts, and the status information of each host.
7. The network attack automatic execution/exhibition method according to claim 6, characterized in that the attack environment preparation of said step S2 specifically means configuring the attack target environment in which the attack is executed: the environment configuration requirements of the attack are extracted from the network attack knowledge base and handed to the operating terminal on the attacked host, which executes the corresponding attack configuration instructions and completes functions such as reinstalling, restarting, and starting/stopping particular services.
8. The network attack automatic execution/exhibition method according to claim 6, characterized in that, in said step S3, the network attack automatic execution module loads the corresponding attack atomic operation module according to the requirements of the attack command sequence, hands the attack parameter data to this attack atomic operation module, executes the attack, and obtains the corresponding feedback data.
9. The network attack automatic execution/exhibition method according to claim 6, characterized in that, in said step S5, the network attack exhibition module is a network state tracking display module which, after receiving the data collection results of step S4 through an XML-based standard interface, describes the initial attack state graphically, describes by graphic animation the data transmission direction and send content of each attack step, describes the feedback of the attack target to the attack operation and the state changes of the attack target, and finally describes the attack result.
CN2009101935015A 2009-10-30 2009-10-30 Network attack automatic execution/exhibition system and method Expired - Fee Related CN101699815B (en)

Publications (2)

Publication Number Publication Date
CN101699815A CN101699815A (en) 2010-04-28
CN101699815B true CN101699815B (en) 2012-08-15

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120815

Termination date: 20131030